Saturday, January 21, 2012

Password Recovery for FSI Amilo Pi Laptops

I received numerous emails in the past from owners of Fujitsu-Siemens Amilo Pi laptops that got locked up beyond recovery: in a nutshell, a BIOS update or some other minor event has caused the password checksum to be overwritten by a seemingly random number above 2^14 (16384). In conjunction with the butchered CRC16 implementation courtesy of Phoenix, this basically means that there are no valid passwords for checksums above that number, i.e. the laptop has become an expensive paperweight.

However, there is a small backdoor, and that is the BIOS emergency recovery: it's basically the last resort to recover from a bad BIOS update. I've patched out the password check from the binary so it can be used to reset the machine to a valid password. Here's a quick how-to:
  1. Get a USB floppy drive and a floppy disk - format the disk to FAT16.
  2. Copy the BIOS file (pi1505, pi1536, pi1556, pa2510) as "bios.wph" to the root directory of the floppy.
  3. Remove the battery and power cord from the laptop.
  4. Connect the USB floppy drive to the laptop, then insert the battery, then the power cord.
  5. Press both Ctrl+Home keys while actuating the power button. Keep Ctrl+Home pressed for another 2-3 minutes.
  6. The BIOS is being reflashed - after that, the machine should reboot on its own.
  7. When it boots up, go to setup and set new passwords. If you get asked for a password, just enter a few random characters.
  8. Boot the laptop up again, re-flash the vendor BIOS.
  9. Go to the BIOS, reset all passwords.
That should unbrick your laptop.

mtmarco has posted alternative instructions on amilo-forum.com.

Tuesday, December 27, 2011

Conrado strikes again

Another fraud victim has sent me an email with this:
It has the same quality as Conrado Davila's previous fraud: he modified my code a bit (removing the GPL license, attributions, etc.), claiming this time that it can calculate Toshiba unlock codes, and sold it to some guy for $460. Interestingly, the payment went to "Luis Eugenio Davila de Garate". He probably has burned his personal paypal account and is tapping into the account of a relative now.

In other news, here are some of his clumsy attempts to advertise on youtube, and here is a fan site which he created with all of his skills in a pretty lame attempt to extort me to retract all the information about his scams...

Update 11/1/12: Conrado's getting desperate:


Update 7/5/12: Another victim...

Sunday, October 9, 2011

Dell 1D3B

Surprisingly, it was even easier than older models:
Dell Laptop Master Password Generator.
Copyright (C) 2011 dogbert; 2007-2010 hpgl
Short service tag should be right padded with '*' up to length 7 chars
HDD serial number is right 11 chars from real HDDSerNum left padded with '*'
Some BIOSes has left pad HDD serial number with spaces instead '*'
Input: #ABCDEFG-1D3B
09.10.2011 22:42 DELL service tag: ABCDEFG-1D3B password: xvn0qEeftqyrkG52

In light of this (and this), a pack of monkeys looks sophisticated in comparison to Dell engineers. Also, please don't even bother to send me emails: you're just wasting both our time.

P.S.: DELL service tag: #NOSOUP4-3A5B password: zvd97y9h

Monday, September 5, 2011

"Donate" Button

I've been asked a few times to accept donations. Please find a button linking to Animal Rescue International on the right side - I'm quite certain that your donations are better off with them.

Sunday, July 31, 2011

Free Unlocker for Palm/HP Phones

A few weeks back, I ditched my iPhone for good and got my hands on a used Palm Pre. Unfortunately, it was net-locked by the provider. Fortunately, the modem is a Qualcomm device and hence all security features can be bypassed so easily that they appear meaningless in the first place. I've written unlocking scripts that work on every webOS phone, i.e. Palm Pre (Plus), Palm Pre2, Palm Pixi (Plus), HP Veer, or HP Pre3. You do not need a SIM card for obtaining the unlock code, and the unlock is perfectly safe, i.e. you can't brick your device. Here's a quick how-to:
  1. Install python 2.6.x (32 bit/x86 version): http://www.python.org/download/releases/2.6/. Python 3.x will not work.
  2. Windows: Install pywin32 for python 2.6: http://sourceforge.net/projects/pywin32/files/
  3. Install pyserial: http://sourceforge.net/projects/pyserial/files/
    Linux: Use your package manager to install the required libraries, e.g. sudo apt-get install python-serial for Debian based distributions (Ubuntu, Mint, etc.)
  4. Download the unlocker (Pre/Pre2/Pixi, or Pre3/Veer) and unpack it (e.g. into the directory C:\unlock)
  5. Calculate the USB passthrough key: go to device info, write down the "Serial Number", and use pre_keygen.py to generate the key from this number. The serial number is also printed on the back of your device and/or underneath the battery.
  6. Start the phone without a SIM card, then start the dialer. If the phone has not been activated before, you can either select "emergency call" with the icon from the notification area at the bottom (Pre, Pre2, Pixi) and delete the number (911, 112 etc.), or just type "BZ" (#*) blindly on the keyboard (Veer, Pre3). Enter "#*USBPASS#" (#*8727277#) in the dialer application and press the dial icon. A window will appear which asks you to enter the passthrough key. After you've done that, select "Diag" for the "USB PORT 1" (only for that port, the rest has to be set to "None").
    If you have trouble enabling the passthrough mode, bypass the activation, install Preware and install the "Enable USB Passthrough" application from Preware.
  7. Windows: Connect your phone to your machine and install these drivers for the serial diagnostics port (not the R-ACM or any other device). The first time you plug in the phone in diagnostics mode, Windows will ask you for drivers. You can also force the driver installation in the device manager by right-clicking the unknown serial port under "Other devices" and selecting "Update drivers". You might have to acknowledge a few warnings about broken driver signatures.
    Linux: Insert the usbserial module with vendor and product parameters matching the vendor and product ID (lsusb), e.g. sudo modprobe usbserial vendor=0x0830 product=0x8043. You have to make the device file (usually /dev/ttyUSB0) accessible to regular users, or you have to run the unlock script with root privileges.
  8. Run pre_unlock.py / pre3_veer_unlock.py and write down your network unlock code.
    If the serial port is not found automatically or if the search is stuck, you can specify it as a command line parameter. Open up a command prompt, navigate to the directory (cd \unlock) and run the unlocker, e.g. pre_unlock.py --diagPort COM5
    If the firmware version has not been recognized, update your device to either the latest webOS 1.4.x or 2.x version. If you don't have a Palm account, you can obtain the updater here.
  9. Disable the passthrough mode: enter "#*USBPASS#" (#*8727277#) and press the dial icon again. Set "None" for "USB PORT 1".
  10. Shut down the phone. Put in a SIM card that is not accepted by the phone and boot it up again. You might have to bypass the activation mechanism.
  11. Carefully enter the network unlock code obtained in step 8. If it gets rejected, please contact me with the perso.txt file that has been saved to the directory of the script. Reboot and enjoy your unlocked phone.
    If and only if the unlock code does not work for you ("Enter Unblock Code"), try running the script with the parameter --writeBack from the command prompt, e.g. pre3_veer_unlock.py --writeBack. After it has completed successfully, reboot your phone and it should be unlocked.
    If you need to activate your phone, but your carrier does not support data services, you can try this.
The script should also work for Linux, MacOS, BSD and any other system which has drivers for the USB diagnostics mode and a python interpreter. I'd like to know whether this worked for you, so please leave a comment. Also, all sources of the unlocker have been released under the terms of the GPL. Feel free to hack away with them.

Tuesday, April 26, 2011

Shmuck of the Week: Alexis Toledo / novatec / biosremoval

Here's another guy selling passwords to people for ludicrous prices: $35 for 2 minutes of work - not bad. You'd think that he can afford a nice website by now, but it still looks like the final project of a community college web design class in the nineties:



Thankfully, his apparent lack of discernible technical knowledge made it very easy to find docs:
alexis toledo 
422 mystic ave
somerville, MA 02145
US
781-330-1378


Another address of someone who is involved with this is: 
Edisley Sousa
6xx American Legion Hwy
Rosindale, MA 02131 
US


There's a bunch of websites and accounts he operates under:
biosremoval.com
novatecdirect.com
revertendotecnologia.com.br
palmastec@gmail.com
hi5geeksolutions@gmail.com
biosremoval@gmail.com
youtube.com/user/alexisakaedisley

I've been collecting his stuff long ago, but never had the time to award him properly until he sent me this reminder:
Guess what...

If you ever have been foolish enough to send this guy money, please contact the paypal fraud department.

Update 1: I just love emails like that.



Update 2: Alexis resorts to empty threats in LARGE LETTERING. I won't be able to sleep tonight :(.


Update 3: Another victim has come forward...

Thursday, March 31, 2011

Roll Call - State of Electronics

The trailer of Karl von Moller's latest documentary gets my mouth watering:


Roll Call - State of Electronics from karl von moller on Vimeo.


Hopefully, it'll be out soon.

Sunday, March 6, 2011

Shmuck of the Month: Sony

Two types of companies exist: those which are growing and those which are dying. Sony has clearly belonged to the latter for over a decade now. The high level of engineering that once made their products excel has been replaced by bland mediocrity and delusional control ideas that are manifested in recent Sony products such as Bluray, the PS3, etc. In their latest act of desperation, they are suing a couple of guys who have successfully hacked the PS3 to bring Linux back to the console after it has been illegally removed in a firmware update. The flaws they used to obtain access to the multi-million dollar security system can almost solely be attributed to crass design blunders that would have been completely avoidable in the first place.

Sony has a line of laptops ("Vaio") which compete mainly in the high value market segments. They implemented a master password bypass which is rather sane in comparison to the rest of the bunch:
  • The randomly generated master password is only stored in RAM, i.e. it's lost after the next reboot ("one time password").
  • RSA is used for encrypting the password which is then converted to a human-readable form (4x4 characters/8 bytes/64 bits).
  • Their customer support apparently allows for one free password generation per device which is pretty decent by the industry standard.
However, they screwed up by choosing a key length that is just 64 bit and hence too small: an unoptimized python implementation of a general number field sieve yields the factors of the key in less than a minute. With these, writing the generator script is an easy exercise:
python pwgen-sony.py
Master Password Generator for Sony laptops (16 characters otp)
Copyright (C) 2009-2010 dogbert

After entering the wrong password for the third time, you will receive a code from which the password can be calculated,
e.g. 73KR-3FP9-PVKH-K29R

Please enter the code:
D63K-XFVF-TK7H-RJKX
The password is: 43878945
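The key-size point is easy to check independently of any vendor. The code below is an added example, not the author's pwgen-sony.py (whose modulus is not on this page): it builds a 64-bit RSA-style modulus from two constructed 32-bit primes and recovers them with Pollard's rho, which is even simpler than a number field sieve and still finishes in well under a minute.

```python
import math
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (deterministic answer for small n)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:           # write n-1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False        # a is a witness: n is composite
    return True


def pollard_rho(n):
    """Return a non-trivial factor of the odd composite n (Floyd cycle finding).
    Runtime is about sqrt(smallest factor) steps, i.e. ~2^16 for a 64-bit n with two 32-bit factors."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        f = lambda v: (v * v + c) % n
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x, y = f(x), f(f(y))
            d = math.gcd(abs(x - y), n)
        if d != n:              # d == n means the sequence cycled without a split; retry with new c
            return d


def factor_64bit_modulus(n):
    """Split a two-prime 64-bit modulus into its sorted prime factors (p, q)."""
    p = pollard_rho(n)
    q = n // p
    assert is_probable_prime(p) and is_probable_prime(q), "modulus is not a product of two primes"
    return tuple(sorted((p, q)))


# Constructed sample key material (not any vendor's): two 32-bit primes, 2^32-17 and 2^32-5.
Q_SAMPLE = 4294967279
P_SAMPLE = 4294967291
N_SAMPLE = P_SAMPLE * Q_SAMPLE   # a 64-bit modulus like the one criticised above
```

Running factor_64bit_modulus(N_SAMPLE) returns (4294967279, 4294967291) in a fraction of a second on commodity hardware, which is why a 64-bit RSA modulus offers no protection at all.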

 
I'm not the first one who discovered this: hpgl also reversed this scheme quite a while back. There are even some idiots on eBay who sell these master passwords. Given that my stuff has been exploited by so many greedy idiots in the past, I decided against releasing it. This will hopefully also help to reduce the influx of stupid emails from *@hotmail.com users.
Update: Since I still get a substantial amount of email concerning pwgen-sony.py, let me be perfectly clear: I will neither send you the generator nor generate codes for you. I am not interested in selling the script, nor am I a substitute for the Sony support or the lack thereof. Also, I do not endorse nor am I affiliated with any shady service that sells passwords or generators. In fact, I'm in the sole possession of the script, so anyone claiming to sell the script to you is clearly attempting to defraud you.

Wednesday, February 9, 2011

Shmuck of the Month: Conrado Davila / laptoprebirth.com

Among the many contestants for this award, there are always some who stand out as exceptionally smug. Conrado has successfully gained access to this select class of people. This is an email from the first time he tried to contact me:
By stating that he is "involved in the world of laptop hacking", he actually means that he defrauds people by selling them my stuff for only 40-50 $/password on his website:

Among the clusterfuck of typographical mistakes and perspective errors in his graphics, he has thankfully put his full name and address in the whois record of the domain:
laptoprebirth.com #17036
conrado davila (conradodav@hotmail.com)
eugenio sue 1279 colinas de san jeronimo
Monterrey
,41600
ES
Tel. +34.955842323
respectively
NAME: Conrado Dávila de Gárate
ADRESS: La Luisiana #3
CITY: ARAHAL (SEVILLA)
COUNTRY: SPAIN
POSTAL CODE: 41600
I'm sure that the local DA has an extensive record on him.

The icing on the cake, however, is his sale of my GPL'd code to some gullible sucker for big bucks. That guy actually wanted to buy a generator for the Sony one-time-password stuff from him, so Conrado just modified my 5dec script to the effect that it seems to generate the password from the Sony one-time key. Suffice to say that it doesn't work at all since he has no technical expertise whatsoever. The other thing that he conveniently removed is my authorship of the script. Here's his delivery email:
So this month, the prestigious "Shmuck" award goes to Spain. Congratulations - you earned it!

Sunday, January 23, 2011

Yet Another BIOS Broken by Design: InsydeH20

Seriously, guys? The master password generator is linked in the other post...

Wednesday, December 22, 2010

Atmel SecureMemory Key Cracker

A couple of years ago, Atmel started selling EEPROM chips dubbed as "SecureMemory" (AT88SC153, AT88SC1608). These chips are still in use today on many contact smartcards and other devices.
Data sectors on that device can be read-/write-protected by requiring a proprietary challenge-response authentication. In addition, these devices also feature a basic password protection which is reasonably easy to circumvent, as flylogic has demonstrated. The challenge-response authentication algorithm is vulnerable to an unroll/meet-in-the-middle attack to the effect that the secret key can be recovered from only a few eavesdropped authentication sessions - researchers from the Radboud University Nijmegen have published a paper on this a couple of months ago.
I've implemented their attack and recovered keys of several such devices successfully. However, an even more primitive, yet effective vulnerability is a man-in-the-middle attack: an attacker can easily take control of the bus after the authentication / password verification has taken place and inject data at will. It's not hard to come up with some piece of hardware that does just that. This is also a successful attack against the successor family, the AT88SC...C devices, which implements a slightly better authentication scheme.

Tuesday, December 21, 2010

Facepalm.jpg

I've been poking around in the BIOS of a Fujitsu Lifebook A530 (source).
What is wrong with this function:

Wednesday, October 20, 2010

Shmuck of the Week: 3_2_1_4you / bluechip82

Here's another gem from eBay that a reader has sent me:

3_2_1_4you's apparent lack of technological knowledge ("dos box tools" etc.) is just the icing on the cake. The epitome of his chutzpah, however, is the price at which he's trying to sell my stuff: $85 - just wow. That easily earns him the glorious "Shmuck of the Week" award.

Update: Apparently, he's now going with the username "bluechip82".

Saturday, September 11, 2010

Another One Bites the Dust: HP/Compaq Mini Netbooks

That was surprisingly easy:

As always, the script (Windows binary) is released under the binding terms of the GPL - let's sit back and watch the decline of eBay prices and the sudden appearance of my code in the tools of the GSM idiots.

Update: I got a couple of emails from folks for which the generated passwords didn't seem to work. It turned out that they confused the letter "l" for the number "1" and vice versa. If you find that it doesn't work for you, copy and paste the generated password from the script into an editor which has a legible typeface.